While other MediaPost newsletters and articles remain free to all ... our new Research Intelligencer service is reserved for paid subscribers ...

Subscribe today to gain access to the every Research Intelligencer article we publish as well as the exclusive daily newsletter, full access to The MediaPost Cases, first-look research and daily insights from Joe Mandese, Editor in Chief.

Macy's Sued Over Reported Customer Data Breach

Macy’s has been hit
with a class-action lawsuit over a breach of customer data revealed last week.

The case, filed on Tuesday in the U.S. District Court for the Northern District of Alabama, charges that
Macy’s failed to protect personally identifiable information (PII) and that it waited almost a month to notify customers after discovering the cyberattack by a third party.

The complaint
states that “9,200 confirmed instances of fraud have already resulted from the Data Breach to date,” and that victims face ”years of constant surveillance of their financial and
personal records, monitoring, and loss of rights.”

The suit contends that the company’s protection of PII data was “lackadaisical, cavalier, reckless, and
negligent.”

The plaintiff, Anna Carroll, seeks restitution, punitive damages and orders prohibiting the alleged practices and failures going forward on behalf of herself and other
potential class members. The complaint says the amount in question exceeds $5 million, and asks that the court recognize the class.

advertisement

advertisement

In response to a query, a Macy’s spokesperson said the
company does not comment on ongoing litigation.

Macy’s notified customers on July 7 that a data breach had exposed email addresses, credit card and debut numbers, birthdays, profiles and
other data. The exposed information did not include Social Security numbers or the security numbers that appear on the backs of credit cards, although it did contain card expiration
dates.

The breach occurred when an unnamed third party accessed the data from an outside source, using valid passwords and user information. It took place from April 26 to June 12.

Carroll made purchases from Macy.com during the period, the complaint states.

Macy’s spokesperson Blair Rosenberg acknowledged the breach In a statement on July 8, saying that the
retailer is “aware of a data security incident involving a small number of our customers at macys.com and bloomingdales.com. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security
measures.”

The complaint argues that Macy’s “stores massive amounts of PII on their servers and utilizes this information to maximize their profits through predictive
marketing and other marketing techniques.”

PII data Is “highly coveted and a frequent target of hackers,” the papers continue. “PII data is often easily taken because
it is less protected and regulated than payment card data.”